[c-nsp] mac flapping on 6509 between core and fwsm

Randy randy_94108 at yahoo.com
Thu Apr 19 23:05:07 EDT 2012


--- On Thu, 4/19/12, ryanL <ryan.landry at gmail.com> wrote:

> From: ryanL <ryan.landry at gmail.com>
> Subject: Re: [c-nsp] mac flapping on 6509 between core and fwsm
> To: "Randy" <randy_94108 at yahoo.com>
> Cc: "Mario Ruiz" <mruiznet at gmail.com>, cisco-nsp at puck.nether.net
> Date: Thursday, April 19, 2012, 6:58 PM
> On Thu, Apr 19, 2012 at 5:54 PM, Randy <randy_94108 at yahoo.com> wrote:
> > --- On Thu, 4/19/12, Mario Ruiz <mruiznet at gmail.com> wrote:
> 
> >
> > Who is reporting the mac-flaps - the 6509 with fwsm OR fwsm itself?
> >
> > it appears that you are seeing it on the 6509 that has the fwsm?
> >
> > if that is the case, then an arp-reply from host at 0024.f716.5142
> > is being seen via po30 and po579.
> >
> > Why do you have po30 on the same vlan as fwsm's outside int?
> >
> > Can you post relevant portions of the config?
> > ./Randy
> 
> the 6509 is basically our services layer. data center stuff. it has
> .1q trunks to the cores, where the cores in-turn pick up a .1q tag for
> the L3 subinterface. in this example, vl1250. vrrp is used between the
> two cores via the 6509. the 6509 also has .1q trunks to our back-end
> routers. in this example, vl1251. the back-end routers do hsrp. the
> fwsm in the 6509 bridges vl1250 and vl1251 in order to do transparent
> firewalling. pretty standard. vl1250 is outside, vl1251 is inside.
> 
> the 6509 is what is reporting the mac move, seeing it show up
> correctly on the uplink port to the core, and then seeing it show up
> incorrectly on the internal ec for the fwsm. the mac is the physical
> address of the core subint.
> 
> i'm wondering if the fwsm is doing some sort of "random" gratuitous or
> proxy arp. the fwsm, which essentially participates, sees the correct
> mac as an arp entry.
> 
> fwsm1/<context removed># sh arp
>     outside <ip removed> 0024.f716.5142
> 
> i seem to have stopped the mac move messages by doing the following
> towards my cores (on the 6509).
> 
> mac-address-table static 0024.f716.3242 vlan 1250 interface Port-channel40
> mac-address-table static 0024.f716.5142 vlan 1250 interface Port-channel30
> 
> not sure what, if anything, yet, that i'm breaking by doing this.
> 
> .rL


Yes! It fixed your issue because of the static-L2-entries you put in place.
It has not fixed the underlying cause!
What you were seeing is not related to proxy-arp OR Gratuitous-Arp (that is an unsolicited "response" per se).

If you wish to get to the bottom of this, feel free to post off-line.
./Randy


